Making Your HR Policies And Procedures GDPR Compliant
GDPR (General Data Protection Regulation) is coming and the changes will mean that you will need to rethink some of your employment and HR practices.
The headlines around GDPR have focused on the possible increased financial penalties for getting things wrong, but there has not been much detail around what organisations, and in particular employers, need to be doing to prepare and to comply with the new rules from 25th May onwards.
Impact Of The GDPR On The Employment Relationship
1. Recruitment
Whether you collect data directly from applicants or via a third party (recruitment agency), you need to provide those applicants with an appropriate privacy notice setting out:
- Purpose for processing
- Your legal basis for processing
- Period of retention for each category of data
- Their rights
In addition, you need to consider documentation received and generated during the recruitment process and what you will do with information relating to unsuccessful candidates or speculative applications.
If you use an agency or other third party they will probably be a data processor and you will need to ensure you have a written contract with them.
2. New Starters
It is likely that you collect further information from successful applicants and also conduct pre-employment checks and take up references.
You will need to provide new starters with your data protection policy or equivalent document.
Again, if you use third-party data processors (e.g. payroll, occupational health providers) you will need to ensure you have written contracts with them.
3. During The Employment Relationship
You will probably continue to collect data about employees during the employment relationship such as health, sickness and absence information and details of disciplinaries, grievances and performance issues.
This will need to be covered by your policy, and in some cases you may need, or choose, to obtain explicit consent.
4. Termination Of Employment
GDPR does not set out specific retention periods for employment records. You must set your own time limits for holding and deleting data. Only information that is still needed should be retained and you should consider the risks specific to your business and be transparent about what data you retain and why.
Applicants, employees and ex-employees will still be able to make subject access requests for copies of data you hold about them (and in the majority of cases you will not be able to charge for this and will need to comply within a month). You should also be prepared for data subjects to exercise their other rights under the GDPR such as the rights to request that data held about them be corrected if inaccurate or deleted.
What Should You Be Doing To Make Your HR Policies And Procedures GDPR Compliant?
- We recommend that you undertake a data mapping exercise to assess what data you obtain and hold for job applicants and employees and to check that there are written contracts in place with data processors.
- You should prepare a privacy notice for job applicants.
- The next step is to review employment contracts and existing data protection policies. Most clauses and policies will not be compliant and will likely require amendment or replacement prior to 25 May.
- You will also need to consider the impact on other HR policies and make appropriate amendments to those.
- Internal procedures will need to be implemented to ensure compliance and to make sure that retention periods are adhered to.
- You should be prepared to recognise and deal with subject access requests and the changed rules in relation to them.
How Nelsons Can Help
Laura Kearsley is a specialist Employment Law Partner at Nelsons.
We are offering template privacy notices and data protection policies for a fixed fee along with optional support in tailoring this documentation and rolling it out across your workforce.
We are also offering bespoke training packages for HR teams or groups of employees, so that you can embed data protection into your culture and evidence your efforts to comply with the new regime.
Our team can provide expertise and guidance on any queries around the changes you need to implement in order to comply. For further information, please contact our employment law specialists on 0800 0241 976 or contact us via our online form.